diff --git a/tests/v1/features/security_monitoring.feature b/tests/v1/features/security_monitoring.feature
index 4d4904e937..34fddb3dc1 100644
--- a/tests/v1/features/security_monitoring.feature
+++ b/tests/v1/features/security_monitoring.feature
@@ -9,7 +9,7 @@ Feature: Security Monitoring
 And a valid "appKeyAuth" key in the system
 And an instance of "SecurityMonitoring" API
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Add a security signal to an incident returns "Bad Request" response
 Given new "AddSecurityMonitoringSignalToIncident" request
 And request contains "signal_id" parameter from "REPLACE.ME"
@@ -17,7 +17,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Add a security signal to an incident returns "Not Found" response
 Given new "AddSecurityMonitoringSignalToIncident" request
 And request contains "signal_id" parameter from "REPLACE.ME"
@@ -25,7 +25,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
- @replay-only @team:DataDog/k9-cloud-security-platform
+ @replay-only @team:DataDog/k9-cloud-siem
 Scenario: Add a security signal to an incident returns "OK" response
 Given new "AddSecurityMonitoringSignalToIncident" request
 And request contains "signal_id" parameter with value "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE"
@@ -34,7 +34,7 @@ Feature: Security Monitoring
 Then the response status is 200 OK
 And the response "status" is equal to "done"
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Change the triage state of a security signal returns "Bad Request" response
 Given new "EditSecurityMonitoringSignalState" request
 And request contains "signal_id" parameter from "REPLACE.ME"
@@ -42,7 +42,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Change the triage state of a security signal returns "Not Found" response
 Given new "EditSecurityMonitoringSignalState" request
 And request contains "signal_id" parameter from "REPLACE.ME"
@@ -50,7 +50,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
- @replay-only @team:DataDog/k9-cloud-security-platform
+ @replay-only @team:DataDog/k9-cloud-siem
 Scenario: Change the triage state of a security signal returns "OK" response
 Given new "EditSecurityMonitoringSignalState" request
 And request contains "signal_id" parameter with value "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE"
@@ -59,7 +59,7 @@ Feature: Security Monitoring
 Then the response status is 200 OK
 And the response "status" is equal to "done"
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Modify the triage assignee of a security signal returns "Bad Request" response
 Given new "EditSecurityMonitoringSignalAssignee" request
 And request contains "signal_id" parameter from "REPLACE.ME"
@@ -67,7 +67,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Modify the triage assignee of a security signal returns "Not Found" response
 Given new "EditSecurityMonitoringSignalAssignee" request
 And request contains "signal_id" parameter from "REPLACE.ME"
@@ -75,7 +75,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
- @replay-only @team:DataDog/k9-cloud-security-platform
+ @replay-only @team:DataDog/k9-cloud-siem
 Scenario: Modify the triage assignee of a security signal returns "OK" response
 Given new "EditSecurityMonitoringSignalAssignee" request
 And request contains "signal_id" parameter with value "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE"
diff --git a/tests/v2/features/csm_agents.feature b/tests/v2/features/csm_agents.feature
index 49cde30aa9..c5c25bb35e 100644
--- a/tests/v2/features/csm_agents.feature
+++ b/tests/v2/features/csm_agents.feature
@@ -12,13 +12,13 @@ Feature: CSM Agents
 And a valid "appKeyAuth" key in the system
 And an instance of "CSMAgents" API
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-misconfigs
 Scenario: Get all CSM Agents returns "OK" response
 Given new "ListAllCSMAgents" request
 When the request is sent
 Then the response status is 200 OK
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-misconfigs
 Scenario: Get all CSM Serverless Agents returns "OK" response
 Given new "ListAllCSMServerlessAgents" request
 When the request is sent
diff --git a/tests/v2/features/csm_coverage_analysis.feature b/tests/v2/features/csm_coverage_analysis.feature
index 8c3689dbfa..a6c05b8dfc 100644
--- a/tests/v2/features/csm_coverage_analysis.feature
+++ b/tests/v2/features/csm_coverage_analysis.feature
@@ -12,19 +12,19 @@ Feature: CSM Coverage Analysis
 And a valid "appKeyAuth" key in the system
 And an instance of "CSMCoverageAnalysis" API
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-misconfigs
 Scenario: Get the CSM Cloud Accounts Coverage Analysis returns "OK" response
 Given new "GetCSMCloudAccountsCoverageAnalysis" request
 When the request is sent
 Then the response status is 200 OK
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-misconfigs
 Scenario: Get the CSM Hosts and Containers Coverage Analysis returns "OK" response
 Given new "GetCSMHostsAndContainersCoverageAnalysis" request
 When the request is sent
 Then the response status is 200 OK
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-misconfigs
 Scenario: Get the CSM Serverless Coverage Analysis returns "OK" response
 Given new "GetCSMServerlessCoverageAnalysis" request
 When the request is sent
diff --git a/tests/v2/features/csm_threats.feature b/tests/v2/features/csm_threats.feature
index fe2ddf85d8..2522d1efeb 100644
--- a/tests/v2/features/csm_threats.feature
+++ b/tests/v2/features/csm_threats.feature
@@ -13,7 +13,7 @@ Feature: CSM Threats
 And a valid "appKeyAuth" key in the system
 And an instance of "CSMThreats" API
- @replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @replay-only @team:DataDog/k9-cws-backend
 Scenario: Create a Workload Protection agent rule (US1-FED) returns "Bad Request" response
 Given there is a valid "policy_rc" in the system
 And new "CreateCloudWorkloadSecurityAgentRule" request
@@ -21,7 +21,7 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 400 Bad Request
- @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @skip @team:DataDog/k9-cws-backend
 Scenario: Create a Workload Protection agent rule (US1-FED) returns "Conflict" response
 Given there is a valid "policy_rc" in the system
 And new "CreateCloudWorkloadSecurityAgentRule" request
@@ -29,7 +29,7 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 409 Conflict
- @replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @replay-only @team:DataDog/k9-cws-backend
 Scenario: Create a Workload Protection agent rule (US1-FED) returns "OK" response
 Given there is a valid "policy_rc" in the system
 And new "CreateCloudWorkloadSecurityAgentRule" request
@@ -37,7 +37,7 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 200 OK
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Create a Workload Protection agent rule returns "Bad Request" response
 Given there is a valid "policy_rc" in the system
 And new "CreateCSMThreatsAgentRule" request
@@ -45,7 +45,7 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 400 Bad Request
- @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @skip @team:DataDog/k9-cws-backend
 Scenario: Create a Workload Protection agent rule returns "Conflict" response
 Given there is a valid "policy_rc" in the system
 And new "CreateCSMThreatsAgentRule" request
@@ -53,7 +53,7 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 409 Conflict
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Create a Workload Protection agent rule returns "OK" response
 Given there is a valid "policy_rc" in the system
 And new "CreateCSMThreatsAgentRule" request
@@ -61,7 +61,7 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 200 OK
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Create a Workload Protection agent rule with set action returns "OK" response
 Given there is a valid "policy_rc" in the system
 And new "CreateCSMThreatsAgentRule" request
@@ -69,7 +69,7 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 200 OK
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Create a Workload Protection agent rule with set action with expression returns "OK" response
 Given there is a valid "policy_rc" in the system
 And new "CreateCSMThreatsAgentRule" request
@@ -77,35 +77,35 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 200 OK
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Create a Workload Protection policy returns "Bad Request" response
 Given new "CreateCSMThreatsAgentPolicy" request
 And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "hostTagsLists": [], "name": "test"}, "type": "policy"}}
 When the request is sent
 Then the response status is 400 Bad Request
- @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @skip @team:DataDog/k9-cws-backend
 Scenario: Create a Workload Protection policy returns "Conflict" response
 Given new "CreateCSMThreatsAgentPolicy" request
 And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "name": "my_agent_policy"}, "type": "policy"}}
 When the request is sent
 Then the response status is 409 Conflict
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Create a Workload Protection policy returns "OK" response
 Given new "CreateCSMThreatsAgentPolicy" request
 And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTagsLists": [["env:test"]], "name": "my_agent_policy_2"}, "type": "policy"}}
 When the request is sent
 Then the response status is 200 OK
- @replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @replay-only @team:DataDog/k9-cws-backend
 Scenario: Delete a Workload Protection agent rule (US1-FED) returns "Not Found" response
 Given new "DeleteCloudWorkloadSecurityAgentRule" request
 And request contains "agent_rule_id" parameter with value "non-existent-rule-id"
 When the request is sent
 Then the response status is 404 Not Found
- @replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ 
@replay-only @team:DataDog/k9-cws-backend
 Scenario: Delete a Workload Protection agent rule (US1-FED) returns "OK" response
 Given there is a valid "agent_rule" in the system
 And new "DeleteCloudWorkloadSecurityAgentRule" request
@@ -113,14 +113,14 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 204 OK
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Delete a Workload Protection agent rule returns "Not Found" response
 Given new "DeleteCSMThreatsAgentRule" request
 And request contains "agent_rule_id" parameter with value "non-existent-rule-id"
 When the request is sent
 Then the response status is 404 Not Found
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Delete a Workload Protection agent rule returns "OK" response
 Given there is a valid "policy_rc" in the system
 And there is a valid "agent_rule_rc" in the system
@@ -130,14 +130,14 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 204 OK
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Delete a Workload Protection policy returns "Not Found" response
 Given new "DeleteCSMThreatsAgentPolicy" request
 And request contains "policy_id" parameter with value "non-existent-policy-id"
 When the request is sent
 Then the response status is 404 Not Found
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Delete a Workload Protection policy returns "OK" response
 Given there is a valid "policy_rc" in the system
 And new "DeleteCSMThreatsAgentPolicy" request
@@ -145,26 +145,26 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 204 OK
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Download the Workload Protection policy (US1-FED) returns "OK" response
 Given new "DownloadCloudWorkloadPolicyFile" request
 When the request is sent
 Then the response status is 200 OK
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Download the Workload Protection policy returns "OK" response
 Given new "DownloadCSMThreatsPolicy" request
 When the request is sent
 Then the response status is 200 OK
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Get a Workload Protection agent rule (US1-FED) returns "Not Found" response
 Given new "GetCloudWorkloadSecurityAgentRule" request
 And request contains "agent_rule_id" parameter with value "abc-def-ghi"
 When the request is sent
 Then the response status is 404 Not Found
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Get a Workload Protection agent rule (US1-FED) returns "OK" response
 Given there is a valid "agent_rule" in the system
 And new "GetCloudWorkloadSecurityAgentRule" request
@@ -172,14 +172,14 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 200 OK
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Get a Workload Protection agent rule returns "Not Found" response
 Given new "GetCSMThreatsAgentRule" request
 And request contains "agent_rule_id" parameter with value "abc-def-ghi"
 When the request is sent
 Then the response status is 404 Not Found
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Get a Workload Protection agent rule returns "OK" response
 Given there is a valid "policy_rc" in the system
 And there is a valid "agent_rule_rc" in the system
@@ -189,14 +189,14 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 200 OK
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Get a Workload Protection policy returns "Not Found" response
 Given new "GetCSMThreatsAgentPolicy" request
 And request contains "policy_id" parameter with value "non-existent-policy-id"
 When the request is sent
 Then the response status is 404 Not Found
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Get a Workload Protection policy returns "OK" response
 Given there is a valid "policy_rc" in the system
 And new "GetCSMThreatsAgentPolicy" request
@@ -204,25 +204,25 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 200 OK
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Get all Workload Protection agent rules (US1-FED) returns "OK" response
 Given new "ListCloudWorkloadSecurityAgentRules" request
 When the request is sent
 Then the response status is 200 OK
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Get all Workload Protection agent rules returns "OK" response
 Given new "ListCSMThreatsAgentRules" request
 When the request is sent
 Then the response status is 200 OK
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Get all Workload Protection policies returns "OK" response
 Given new "ListCSMThreatsAgentPolicies" request
 When the request is sent
 Then the response status is 200 OK
- @replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @replay-only @team:DataDog/k9-cws-backend
 Scenario: Update a Workload Protection agent rule (US1-FED) returns "Bad Request" response
 Given there is a valid "agent_rule" in the system
 And new "UpdateCloudWorkloadSecurityAgentRule" request
@@ -231,7 +231,7 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 400 Bad Request
- @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @skip @team:DataDog/k9-cws-backend
 Scenario: Update a Workload Protection agent rule (US1-FED) returns "Concurrent Modification" response
 Given there is a valid "agent_rule" in the system
 And new "UpdateCloudWorkloadSecurityAgentRule" request
@@ -240,7 +240,7 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 409 Concurrent Modification
- @replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @replay-only @team:DataDog/k9-cws-backend
 Scenario: Update a Workload Protection agent rule (US1-FED) returns "Not Found" response
 Given new "UpdateCloudWorkloadSecurityAgentRule" request
 And request contains "agent_rule_id" parameter with value "non-existent-rule-id"
@@ -248,7 +248,7 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 404 Not Found
- @replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @replay-only @team:DataDog/k9-cws-backend
 Scenario: Update a Workload Protection agent rule (US1-FED) returns "OK" response
 Given there is a valid "agent_rule" in the system
 And new "UpdateCloudWorkloadSecurityAgentRule" request
@@ -257,7 +257,7 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 200 OK
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Update a Workload Protection agent rule returns "Bad Request" response
 Given there is a valid "policy_rc" in the system
 And there is a valid "agent_rule_rc" in the system
@@ -267,7 +267,7 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 400 Bad Request
- @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @skip @team:DataDog/k9-cws-backend
 Scenario: Update a Workload Protection agent rule returns "Concurrent Modification" response
 Given there is a valid "agent_rule_rc" in the system
 And there is a valid "policy_rc" in the system
@@ -277,7 +277,7 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 409 Concurrent Modification
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Update a Workload Protection agent rule returns "Not Found" response
 Given there is a valid "policy_rc" in the system
 And new "UpdateCSMThreatsAgentRule" request
@@ -286,7 +286,7 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 404 Not Found
- @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @skip @team:DataDog/k9-cws-backend
 Scenario: Update a Workload Protection agent rule returns "OK" response
 Given there is a valid "policy_rc" in the system
 And there is a valid "agent_rule_rc" in the system
@@ -297,7 +297,7 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 200 OK
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Update a Workload Protection policy returns "Bad Request" response
 Given there is a valid "policy_rc" in the system
 And new "UpdateCSMThreatsAgentPolicy" request
@@ -306,7 +306,7 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 400 Bad Request
- @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @skip @team:DataDog/k9-cws-backend
 Scenario: Update a Workload Protection policy returns "Concurrent Modification" response
 Given there is a valid "policy_rc" in the system
 And new "UpdateCSMThreatsAgentPolicy" request
@@ -315,7 +315,7 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 409 Concurrent Modification
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Update a Workload Protection policy returns "Not Found" response
 Given new "UpdateCSMThreatsAgentPolicy" request
 And request contains "policy_id" parameter with value "non-existent-policy-id"
@@ -323,7 +323,7 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 404 Bad Request
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @team:DataDog/k9-cws-backend
 Scenario: Update a Workload Protection policy returns "OK" response
 Given there is a valid "policy_rc" in the system
 And new "UpdateCSMThreatsAgentPolicy" request
diff --git a/tests/v2/features/security_monitoring.feature b/tests/v2/features/security_monitoring.feature
index 5695a7ea4a..0296f8f506 100644
--- a/tests/v2/features/security_monitoring.feature
+++ b/tests/v2/features/security_monitoring.feature
@@ -9,7 +9,7 @@ Feature: Security Monitoring
 And a valid "appKeyAuth" key in the system
 And an instance of "SecurityMonitoring" API
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Activate content pack returns "Accepted" response
 Given operation "ActivateContentPack" enabled
 And new "ActivateContentPack" request
@@ -17,7 +17,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 202 Accepted
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Activate content pack returns "Not Found" response
 Given operation "ActivateContentPack" enabled
 And new "ActivateContentPack" request
@@ -99,21 +99,21 @@ Feature: Security Monitoring
 And the response "data.attributes.insights" has item with field "resource_id" with value "ZGZhMDI3ZjdjMDM3YjJmNzcxNTlhZGMwMjdmZWNiNTZ-MTVlYTNmYWU3NjNlOTNlYTE2YjM4N2JmZmI4Yjk5N2Y="
 And the response "data.attributes.insights" has item with field "resource_id" with value "MmUzMzZkODQ2YTI3NDU0OTk4NDk3NzhkOTY5YjU2Zjh-YWJjZGI1ODI4OTYzNWM3ZmUwZTBlOWRkYTRiMGUyOGQ="
- @skip @team:DataDog/k9-cloud-security-platform
+ @skip @team:DataDog/k9-cloud-siem
 Scenario: Bulk export security monitoring rules returns "Bad Request" response
 Given new "BulkExportSecurityMonitoringRules" request
 And body with value {"data": {"attributes": {"ruleIds": []}, "type": "security_monitoring_rules_bulk_export"}}
 When the request is sent
 Then the response status is 400 Bad Request
- @skip @team:DataDog/k9-cloud-security-platform
+ @skip @team:DataDog/k9-cloud-siem
 Scenario: Bulk export security monitoring rules returns "Not Found" response
 Given new "BulkExportSecurityMonitoringRules" request
 And body with value {"data": {"attributes": {"ruleIds": ["non-existent-rule-id"]}, "type": "security_monitoring_rules_bulk_export"}}
 When the request is sent
 Then the response status is 404 Not Found
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Bulk export security monitoring rules returns "OK" response
 Given there is a valid "security_rule" in the system
 And new "BulkExportSecurityMonitoringRules" request
@@ -121,7 +121,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Cancel a historical job returns "Bad Request" response
 Given operation "CancelThreatHuntingJob" enabled
 And new "CancelThreatHuntingJob" request
@@ -129,7 +129,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Cancel a historical job returns "Not Found" response
 Given operation "CancelThreatHuntingJob" enabled
 And new "CancelThreatHuntingJob" request
@@ -137,7 +137,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Cancel a historical job returns "OK" response
 Given operation "CancelThreatHuntingJob" enabled
 And operation "RunThreatHuntingJob" enabled
@@ -147,7 +147,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 204 No Content
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Cancel a threat hunting job returns "Bad Request" response
 Given operation "CancelThreatHuntingJob" enabled
 And new "CancelThreatHuntingJob" request
@@ -155,7 +155,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Cancel a threat hunting job returns "Conflict" response
 Given operation "CancelThreatHuntingJob" enabled
 And new "CancelThreatHuntingJob" request
@@ -163,7 +163,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 409 Conflict
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Cancel a threat hunting job returns "Not Found" response
 Given operation "CancelThreatHuntingJob" enabled
 And new "CancelThreatHuntingJob" request
@@ -171,7 +171,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Cancel a threat hunting job returns "OK" response
 Given operation "CancelThreatHuntingJob" enabled
 And new "CancelThreatHuntingJob" request
@@ -179,7 +179,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 204 OK
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Change the related incidents of a security signal returns "Bad Request" response
 Given new "EditSecurityMonitoringSignalIncidents" request
 And request contains "signal_id" parameter from "REPLACE.ME"
@@ -187,7 +187,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Change the related incidents of a security signal returns "Not Found" response
 Given new "EditSecurityMonitoringSignalIncidents" request
 And request contains "signal_id" parameter from "REPLACE.ME"
@@ -195,7 +195,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
- @replay-only @team:DataDog/k9-cloud-security-platform
+ @replay-only @team:DataDog/k9-cloud-siem
 Scenario: Change the related incidents of a security signal returns "OK" response
 Given new "EditSecurityMonitoringSignalIncidents" request
 And request contains "signal_id" parameter with value "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE"
@@ -203,7 +203,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Change the triage state of a security signal returns "Bad Request" response
 Given new "EditSecurityMonitoringSignalState" request
 And request contains "signal_id" parameter from "REPLACE.ME"
@@ -211,7 +211,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Change the triage state of a security signal returns "Not Found" response
 Given new "EditSecurityMonitoringSignalState" request
 And request contains "signal_id" parameter from "REPLACE.ME"
@@ -219,7 +219,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
- @replay-only @team:DataDog/k9-cloud-security-platform
+ @replay-only @team:DataDog/k9-cloud-siem
 Scenario: Change the triage state of a security signal returns "OK" response
 Given new "EditSecurityMonitoringSignalState" request
 And request contains "signal_id" parameter with value "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE"
@@ -227,7 +227,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Convert a job result to a signal returns "Bad Request" response
 Given operation "ConvertJobResultToSignal" enabled
 And new "ConvertJobResultToSignal" request
@@ -235,7 +235,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Convert a job result to a signal returns "Not Found" response
 Given operation "ConvertJobResultToSignal" enabled
 And new "ConvertJobResultToSignal" request
@@ -243,7 +243,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Convert a job result to a signal returns "OK" response
 Given operation "ConvertJobResultToSignal" enabled
 And new "ConvertJobResultToSignal" request
@@ -251,21 +251,21 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 OK - @skip @team:DataDog/k9-cloud-security-platform + @skip @team:DataDog/k9-cloud-siem Scenario: Convert a rule from JSON to Terraform returns "Bad Request" response Given new "ConvertSecurityMonitoringRuleFromJSONToTerraform" request And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"metric":""}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection"} When the request is sent Then the response status is 400 Bad Request - @skip @team:DataDog/k9-cloud-security-platform + @skip @team:DataDog/k9-cloud-siem Scenario: Convert a rule from JSON to Terraform returns "Not Found" response Given new "ConvertSecurityMonitoringRuleFromJSONToTerraform" request And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"metric":""}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection"} When the request is sent Then the response status is 404 Not Found - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Convert a rule from JSON to Terraform returns "OK" response Given new "ConvertSecurityMonitoringRuleFromJSONToTerraform" request And body with value {"name":"_{{ unique_hash }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"metric":""}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 
0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection"} @@ -273,21 +273,21 @@ Feature: Security Monitoring Then the response status is 200 OK And the response "terraformContent" is equal to "resource \"datadog_security_monitoring_rule\" \"_{{ unique_hash }}\" {\n\tname = \"_{{ unique_hash }}\"\n\tenabled = true\n\tquery {\n\t\tquery = \"@test:true\"\n\t\tgroup_by_fields = []\n\t\thas_optional_group_by_fields = false\n\t\tdistinct_fields = []\n\t\taggregation = \"count\"\n\t\tname = \"\"\n\t\tdata_source = \"logs\"\n\t}\n\toptions {\n\t\tkeep_alive = 3600\n\t\tmax_signal_duration = 86400\n\t\tdetection_method = \"threshold\"\n\t\tevaluation_window = 900\n\t}\n\tcase {\n\t\tname = \"\"\n\t\tstatus = \"info\"\n\t\tnotifications = []\n\t\tcondition = \"a > 0\"\n\t}\n\tmessage = \"Test rule\"\n\ttags = []\n\thas_extended_title = false\n\ttype = \"log_detection\"\n}\n" - @skip @team:DataDog/k9-cloud-security-platform + @skip @team:DataDog/k9-cloud-siem Scenario: Convert an existing rule from JSON to Terraform returns "Bad Request" response Given new "ConvertExistingSecurityMonitoringRule" request And request contains "rule_id" parameter from "REPLACE.ME" When the request is sent Then the response status is 400 Bad Request - @skip @team:DataDog/k9-cloud-security-platform + @skip @team:DataDog/k9-cloud-siem Scenario: Convert an existing rule from JSON to Terraform returns "Not Found" response Given new "ConvertExistingSecurityMonitoringRule" request And request contains "rule_id" parameter from "REPLACE.ME" When the request is sent Then the response status is 404 Not Found - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Convert an existing rule from JSON to Terraform returns "OK" response Given new "ConvertExistingSecurityMonitoringRule" request And there is a valid "security_rule_hash" in the system 
@@ -368,7 +368,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Create a cloud_configuration rule returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"type":"cloud_configuration","name":"{{ unique }}_cloud","isEnabled":false,"cases":[{"status":"info","notifications":["channel"]}],"options":{"complianceRuleOptions":{"resourceType":"gcp_compute_disk","complexRule": false,"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_disk"]}}},"message":"ddd","tags":["my:tag"],"complianceSignalOptions":{"userActivationStatus":true,"userGroupByFields":["@account_id"]},"filters":[{"action":"require","query":"resource_id:helo*"},{"action":"suppress","query":"control:helo*"}]} 
@@ -379,21 +379,21 @@ Feature: Security Monitoring And the response "message" is equal to "ddd" And the response "options.complianceRuleOptions.resourceType" is equal to "gcp_compute_disk" - @skip @team:DataDog/k9-cloud-security-platform + @skip @team:DataDog/k9-cloud-siem Scenario: Create a critical asset returns "Bad Request" response Given new "CreateSecurityMonitoringCriticalAsset" request And body with value {"data": {"type": "critical_assets", "attributes": {"query": "host:test"}}} When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Create a critical asset returns "Conflict" response Given new "CreateSecurityMonitoringCriticalAsset" request And body with value {"data": {"attributes": {"enabled": true, "query": "security:monitoring", "rule_query": "type:(log_detection OR signal_correlation OR workload_security OR application_security) source:cloudtrail", "severity": "increase", "tags": ["team:database", "source:cloudtrail"]}, "type": "critical_assets"}} When the request is sent Then the response status is 409 Conflict - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Create a critical asset returns "OK" response Given new "CreateSecurityMonitoringCriticalAsset" request And body with value {"data": {"type": "critical_assets", "attributes": {"query": "host:{{ unique_lower_alnum }}", "rule_query": "type:(log_detection OR signal_correlation OR workload_security OR application_security) source:cloudtrail", "severity": "decrease", "tags": ["team:security", "env:test"]}}} 
@@ -402,14 +402,14 @@ Feature: Security Monitoring And the response "data.type" is equal to "critical_assets" And the response "data.attributes.severity" is equal to "decrease" - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Create a custom framework returns "Bad Request" response Given new "CreateCustomFramework" request And body with value {"data":{"type":"custom_framework","attributes":{"name":"name","handle":"","version":"10","icon_url":"test-url","requirements":[{"name":"requirement","controls":[{"name":"control","rules_id":["def-000-be9"]}]}]}}} When the request is sent Then the response status is 400 Bad Request - @replay-only @skip-terraform-config @team:DataDog/k9-cloud-security-platform + @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem Scenario: Create a custom framework returns "Conflict" response Given there is a valid "custom_framework" in the system And new "CreateCustomFramework" request 
@@ -417,21 +417,21 @@ Feature: Security Monitoring When the request is sent Then the response status is 409 Conflict - @replay-only @skip-terraform-config @team:DataDog/k9-cloud-security-platform + @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem Scenario: Create a custom framework returns "OK" response Given new "CreateCustomFramework" request And body with value {"data":{"type":"custom_framework","attributes":{"name":"name","handle":"create-framework-new","version":"10","icon_url":"test-url","requirements":[{"name":"requirement","controls":[{"name":"control","rules_id":["def-000-be9"]}]}]}}} When the request is sent Then the response status is 200 OK - @skip @team:DataDog/k9-cloud-security-platform + @skip @team:DataDog/k9-cloud-siem Scenario: Create a detection rule returns "Bad Request" response Given new "CreateSecurityMonitoringRule" request And body with value {"name":"{{ unique }}", "queries":[{"query":""}],"cases":[{"status":"info"}],"options":{},"message":"Test rule","tags":[],"isEnabled":true} When the request is sent Then the response status is 400 Bad Request - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Create a detection rule returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"metric":""}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection", "referenceTables":[{"tableName": "synthetics_test_reference_table_dont_delete", "columnName": "value", "logFieldPath":"testtag", "checkPresence":true, "ruleQueryName":"a"}]} 
@@ -442,7 +442,7 @@ Feature: Security Monitoring And the response "message" is equal to "Test rule" And the response "referenceTables" is equal to [{"tableName": "synthetics_test_reference_table_dont_delete", "columnName": "value", "logFieldPath":"testtag", "checkPresence":true, "ruleQueryName":"a"}] - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Create a detection rule with detection method 'anomaly_detection' returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app status:error"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0.995"}],"message":"An anomaly detection rule","options":{"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"learningPeriodBaseline":10}},"tags":[],"filters":[]} 
@@ -456,7 +456,7 @@ Feature: Security Monitoring And the response "options.anomalyDetectionOptions.learningPeriodBaseline" is equal to 10 And the response "options.anomalyDetectionOptions.detectionTolerance" is equal to 3 - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Create a detection rule with detection method 'anomaly_detection' with enabled feature 'instantaneousBaseline' returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app status:error"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0.995"}],"message":"An anomaly detection rule","options":{"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"instantaneousBaseline":true}},"tags":[],"filters":[]} 
@@ -467,7 +467,7 @@ Feature: Security Monitoring And the response "options.detectionMethod" is equal to "anomaly_detection" And the response "options.anomalyDetectionOptions.instantaneousBaseline" is equal to true - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Create a detection rule with detection method 'sequence_detection' returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":[],"hasOptionalGroupByFields":false,"name":"","query":"service:logs-rule-reducer source:paul test2"},{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":[],"hasOptionalGroupByFields":false,"name":"","query":"service:logs-rule-reducer source:paul test1"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"step_b > 0"}],"message":"Logs and signals asdf","options":{"detectionMethod":"sequence_detection","evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"sequenceDetectionOptions":{"stepTransitions":[{"child":"step_b","evaluationWindow":900,"parent":"step_a"}],"steps":[{"condition":"a > 0","evaluationWindow":60,"name":"step_a"},{"condition":"b > 0","evaluationWindow":60,"name":"step_b"}]}},"tags":[]} 
@@ -477,7 +477,7 @@ Feature: Security Monitoring And the response "type" is equal to "log_detection" And the response "options.detectionMethod" is equal to "sequence_detection" - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Create a detection rule with detection method 'third_party' returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"thirdPartyCases":[{"query":"status:error","name":"high","status":"high"},{"query":"status:info","name":"low","status":"low"}],"queries":[],"cases":[],"message":"This is a third party rule","options":{"detectionMethod":"third_party","keepAlive":0,"maxSignalDuration":600,"thirdPartyRuleOptions":{"defaultStatus":"info","rootQueries":[{"query":"source:guardduty @details.alertType:*EC2*", "groupByFields":["instance-id"]},{"query":"source:guardduty", "groupByFields":[]}]}}} 
@@ -488,7 +488,7 @@ Feature: Security Monitoring And the response "options.detectionMethod" is equal to "third_party" And the response "thirdPartyCases[0].query" is equal to "status:error" - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Create a detection rule with type 'application_security 'returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}}, {"type":"flag_ip","options":{"flaggedIPType":"FLAGGED"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]} 
@@ -498,7 +498,7 @@ Feature: Security Monitoring And the response "type" is equal to "application_security" And the response "message" is equal to "Test rule" - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Create a detection rule with type 'impossible_travel' returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"queries":[{"aggregation":"geo_data","groupByFields":["@usr.id"],"distinctFields":[],"metric":"@network.client.geoip","query":"*"}],"cases":[{"name":"","status":"info","notifications":[]}],"hasExtendedTitle":true,"message":"test","isEnabled":true,"options":{"maxSignalDuration":86400,"evaluationWindow":900,"keepAlive":3600,"detectionMethod":"impossible_travel","impossibleTravelOptions":{"baselineUserLocations":false}},"name":"{{ unique }}","type":"log_detection","tags":[],"filters":[]} @@ -509,7 +509,7 @@ Feature: Security Monitoring And the response "message" is equal to "test" And the response "options.detectionMethod" is equal to "impossible_travel" - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Create a detection rule with type 'signal_correlation' returns "OK" response Given there is a valid "security_rule" in the system And there is a valid "security_rule_bis" in the system 
@@ -522,7 +522,7 @@ Feature: Security Monitoring And the response "message" is equal to "Test signal correlation rule" And the response "isEnabled" is equal to true - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Create a detection rule with type 'workload_security' returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"metric":""}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type": "workload_security"} @@ -561,7 +561,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 201 Successfully created the notification rule. - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Create a scheduled detection rule returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"indexes":["main"]}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection", "schedulingOptions": {"rrule": "FREQ=HOURLY;INTERVAL=2;", "start": "2025-06-18T12:00:00", "timezone": "Europe/Paris"}} 
@@ -572,28 +572,28 @@ Feature: Security Monitoring And the response "message" is equal to "Test rule" And the response "schedulingOptions" is equal to {"rrule": "FREQ=HOURLY;INTERVAL=2;", "start": "2025-06-18T12:00:00", "timezone": "Europe/Paris"} - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Create a scheduled rule without rrule returns "Bad Request" response Given new "CreateSecurityMonitoringRule" request And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"indexes":["main"]}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection", "schedulingOptions": {"start": "2025-06-18T12:00:00", "timezone": "Europe/Paris"}} When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Create a security filter returns "Bad Request" response Given new "CreateSecurityFilter" request And body with value {"data": {"attributes": {"exclusion_filters": [{"name": "Exclude staging", "query": "source:staging"}], "filtered_data_type": "logs", "is_enabled": true, "name": "Custom security filter", "query": "service:api"}, "type": "security_filters"}} When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Create a security filter returns "Conflict" response Given new "CreateSecurityFilter" request And body with value {"data": {"attributes": {"exclusion_filters": [{"name": "Exclude staging", "query": "source:staging"}], "filtered_data_type": "logs", "is_enabled": true, "name": "Custom security filter", "query": "service:api"}, "type": 
"security_filters"}} When the request is sent Then the response status is 409 Conflict - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Create a security filter returns "OK" response Given new "CreateSecurityFilter" request And body with value {"data": {"attributes": {"exclusion_filters": [{"name": "Exclude staging", "query": "source:staging"}], "filtered_data_type": "logs", "is_enabled": true, "name": "{{ unique }}", "query": "service:{{ unique_alnum }}"}, "type": "security_filters"}} 
@@ -605,21 +605,21 @@ Feature: Security Monitoring And the response "data.attributes.exclusion_filters[0].name" is equal to "Exclude staging" And the response "data.attributes.exclusion_filters[0].query" is equal to "source:staging" - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Create a suppression rule returns "Bad Request" response Given new "CreateSecurityMonitoringSuppression" request And body with value {"data": {"attributes": {"data_exclusion_query": "source:cloudtrail account_id:12345", "description": "This rule suppresses low-severity signals in staging environments.", "enabled": true, "expiration_date": 1703187336000, "name": "Custom suppression", "rule_query": "type:log_detection source:cloudtrail", "start_date": 1703187336000, "suppression_query": "env:staging status:low", "tags": ["technique:T1110-brute-force", "source:cloudtrail"]}, "type": "suppressions"}} When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Create a suppression rule returns "Conflict" response Given new "CreateSecurityMonitoringSuppression" request And body with value {"data": {"attributes": {"data_exclusion_query": "source:cloudtrail account_id:12345", "description": "This rule suppresses low-severity signals in staging environments.", "enabled": true, "expiration_date": 1703187336000, "name": "Custom suppression", "rule_query": "type:log_detection source:cloudtrail", "start_date": 1703187336000, "suppression_query": "env:staging status:low", "tags": ["technique:T1110-brute-force", "source:cloudtrail"]}, "type": "suppressions"}} When the request is sent Then the response status is 409 Conflict - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Create a suppression rule returns "OK" response Given new 
"CreateSecurityMonitoringSuppression" request And body with value {"data": {"attributes": {"description": "This rule suppresses low-severity signals in staging environments.", "enabled": true, "start_date": {{ timestamp('now + 10d') }}000, "expiration_date": {{ timestamp('now + 21d') }}000, "name": "{{ unique }}", "rule_query": "type:log_detection source:cloudtrail", "suppression_query": "env:staging status:low", "tags": ["technique:T1110-brute-force", "source:cloudtrail"]}, "type": "suppressions"}} @@ -629,7 +629,7 @@ Feature: Security Monitoring And the response "data.attributes.enabled" is equal to true And the response "data.attributes.rule_query" is equal to "type:log_detection source:cloudtrail" - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Create a suppression rule with an exclusion query returns "OK" response Given new "CreateSecurityMonitoringSuppression" request And body with value {"data": {"attributes": {"description": "This rule suppresses low-severity signals in staging environments.", "enabled": true, "start_date": {{ timestamp('now + 10d') }}000, "expiration_date": {{ timestamp('now + 21d') }}000, "name": "{{ unique }}", "rule_query": "type:log_detection source:cloudtrail", "data_exclusion_query": "account_id:12345"}, "type": "suppressions"}} @@ -708,7 +708,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Deactivate content pack returns "Accepted" response Given operation "DeactivateContentPack" enabled And new "DeactivateContentPack" request 
@@ -716,7 +716,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 202 Accepted - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Deactivate content pack returns "Not Found" response Given operation "DeactivateContentPack" enabled And new "DeactivateContentPack" request @@ -724,14 +724,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Delete a critical asset returns "Not Found" response Given new "DeleteSecurityMonitoringCriticalAsset" request And request contains "critical_asset_id" parameter with value "00000000-0000-0000-0000-000000000000" When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Delete a critical asset returns "OK" response Given there is a valid "critical_asset" in the system And new "DeleteSecurityMonitoringCriticalAsset" request @@ -739,7 +739,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 OK - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Delete a custom framework returns "Bad Request" response Given new "DeleteCustomFramework" request And request contains "handle" parameter with value "handle-does-not-exist" @@ -747,7 +747,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @replay-only @team:DataDog/k9-cloud-security-platform + @replay-only @team:DataDog/k9-cloud-siem Scenario: Delete a custom framework returns "OK" response Given there is a valid "custom_framework" in the system And new "DeleteCustomFramework" request 
@@ -756,14 +756,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @skip @team:DataDog/k9-cloud-security-platform + @skip @team:DataDog/k9-cloud-siem Scenario: Delete a non existing rule returns "Not Found" response Given new "DeleteSecurityMonitoringRule" request And request contains "rule_id" parameter with value "ThisRuleIdProbablyDoesntExist" When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Delete a security filter returns "No Content" response Given there is a valid "security_filter" in the system And new "DeleteSecurityFilter" request @@ -771,14 +771,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 No Content - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Delete a security filter returns "Not Found" response Given new "DeleteSecurityFilter" request And request contains "security_filter_id" parameter from "REPLACE.ME" When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Delete a security filter returns "OK" response Given new "DeleteSecurityFilter" request And request contains "security_filter_id" parameter from "REPLACE.ME" 
@@ -800,14 +800,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 Rule successfully deleted. - @skip @team:DataDog/k9-cloud-security-platform + @skip @team:DataDog/k9-cloud-siem Scenario: Delete a suppression rule returns "Not Found" response Given new "DeleteSecurityMonitoringSuppression" request And request contains "suppression_id" parameter with value "does-not-exist" When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Delete a suppression rule returns "OK" response Given there is a valid "suppression" in the system And new "DeleteSecurityMonitoringSuppression" request @@ -830,7 +830,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 Rule successfully deleted. - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Delete an existing job returns "Bad Request" response Given operation "DeleteThreatHuntingJob" enabled And new "DeleteThreatHuntingJob" request @@ -838,7 +838,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Delete an existing job returns "Conflict" response Given operation "DeleteThreatHuntingJob" enabled And new "DeleteThreatHuntingJob" request @@ -846,7 +846,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 409 Conflict - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Delete an existing job returns "Not Found" response Given operation "DeleteThreatHuntingJob" enabled And new "DeleteThreatHuntingJob" request 
@@ -854,7 +854,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Delete an existing job returns "OK" response Given operation "DeleteThreatHuntingJob" enabled And new "DeleteThreatHuntingJob" request @@ -862,14 +862,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 OK - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Delete an existing rule returns "Not Found" response Given new "DeleteSecurityMonitoringRule" request And request contains "rule_id" parameter from "REPLACE.ME" When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Delete an existing rule returns "OK" response Given there is a valid "security_rule" in the system And new "DeleteSecurityMonitoringRule" request @@ -922,7 +922,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Get a cloud configuration rule's details returns "OK" response Given there is a valid "cloud_configuration_rule" in the system And new "GetSecurityMonitoringRule" request 
@@ -932,14 +932,14 @@ Feature: Security Monitoring And the response "name" is equal to "{{ unique }}_cloud" And the response "id" has the same value as "cloud_configuration_rule.id" - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get a critical asset returns "Not Found" response Given new "GetSecurityMonitoringCriticalAsset" request And request contains "critical_asset_id" parameter with value "00000000-0000-0000-0000-000000000000" When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Get a critical asset returns "OK" response Given new "GetSecurityMonitoringCriticalAsset" request And there is a valid "critical_asset" in the system @@ -949,7 +949,7 @@ Feature: Security Monitoring And the response "data.attributes.rule_query" has the same value as "critical_asset.data.attributes.rule_query" And the response "data.attributes.severity" is equal to "medium" - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get a custom framework returns "Bad Request" response Given new "GetCustomFramework" request And request contains "handle" parameter with value "frame-does-not-exist" @@ -957,7 +957,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @replay-only @team:DataDog/k9-cloud-security-platform + @replay-only @team:DataDog/k9-cloud-siem Scenario: Get a custom framework returns "OK" response Given there is a valid "custom_framework" in the system And new "GetCustomFramework" request 
@@ -991,7 +991,7 @@ Feature: Security Monitoring
 Then the response status is 200 OK
 And the response "data.attributes.evaluation" is equal to "pass"
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Get a hist signal's details returns "Bad Request" response
 Given operation "GetSecurityMonitoringHistsignal" enabled
 And new "GetSecurityMonitoringHistsignal" request
@@ -999,7 +999,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Get a hist signal's details returns "Not Found" response
 Given operation "GetSecurityMonitoringHistsignal" enabled
 And new "GetSecurityMonitoringHistsignal" request
@@ -1007,7 +1007,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Get a hist signal's details returns "OK" response
 Given operation "GetSecurityMonitoringHistsignal" enabled
 And new "GetSecurityMonitoringHistsignal" request
@@ -1015,7 +1015,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Get a job's details returns "Bad Request" response
 Given operation "GetThreatHuntingJob" enabled
 And new "GetThreatHuntingJob" request
@@ -1023,7 +1023,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Get a job's details returns "Not Found" response
 Given operation "GetThreatHuntingJob" enabled
 And new "GetThreatHuntingJob" request
@@ -1031,7 +1031,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Get a job's details returns "OK" response
 Given operation "GetThreatHuntingJob" enabled
 And operation "RunThreatHuntingJob" enabled
@@ -1041,7 +1041,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Get a job's hist signals returns "Bad Request" response
 Given operation "GetSecurityMonitoringHistsignalsByJobId" enabled
 And new "GetSecurityMonitoringHistsignalsByJobId" request
@@ -1049,7 +1049,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Get a job's hist signals returns "Not Found" response
 Given operation "GetSecurityMonitoringHistsignalsByJobId" enabled
 And new "GetSecurityMonitoringHistsignalsByJobId" request
@@ -1057,7 +1057,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Get a job's hist signals returns "OK" response
 Given operation "GetSecurityMonitoringHistsignalsByJobId" enabled
 And new "GetSecurityMonitoringHistsignalsByJobId" request
@@ -1065,21 +1065,21 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Get a list of security signals returns "Bad Request" response
 Given new "SearchSecurityMonitoringSignals" request
 And body with value {"filter": {"from": "2019-01-02T09:42:36.320Z", "query": "security:attack status:high", "to": "2019-01-03T09:42:36.320Z"}, "page": {"cursor": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==", "limit": 25}, "sort": "timestamp"}
 When the request is sent
 Then the response status is 400 Bad Request
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Get a list of security signals returns "OK" response
 Given new "SearchSecurityMonitoringSignals" request
 And body with value {"filter": {"from": "2019-01-02T09:42:36.320Z", "query": "security:attack status:high", "to": "2019-01-03T09:42:36.320Z"}, "page": {"cursor": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==", "limit": 25}, "sort": "timestamp"}
 When the request is sent
 Then the response status is 200 OK
 
- @replay-only @skip-validation @team:DataDog/k9-cloud-security-platform @with-pagination
+ @replay-only @skip-validation @team:DataDog/k9-cloud-siem @with-pagination
 Scenario: Get a list of security signals returns "OK" response with pagination
 Given new "SearchSecurityMonitoringSignals" request
 And body with value {"filter": {"from": "{{ timeISO("now-15m") }}", "query": "security:attack status:high", "to": "{{ timeISO("now") }}"}, "page": {"limit": 2}, "sort": "timestamp"}
@@ -1087,19 +1087,19 @@ Feature: Security Monitoring
 Then the response status is 200 OK
 And the response has 3 items
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Get a quick list of security signals returns "Bad Request" response
 Given new "ListSecurityMonitoringSignals" request
 When the request is sent
 Then the response status is 400 Bad Request
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Get a quick list of security signals returns "OK" response
 Given new "ListSecurityMonitoringSignals" request
 When the request is sent
 Then the response status is 200 OK
 
- @replay-only @skip-validation @team:DataDog/k9-cloud-security-platform @with-pagination
+ @replay-only @skip-validation @team:DataDog/k9-cloud-siem @with-pagination
 Scenario: Get a quick list of security signals returns "OK" response with pagination
 Given new "ListSecurityMonitoringSignals" request
 And request contains "page[limit]" parameter with value 2
@@ -1107,14 +1107,14 @@ Feature: Security Monitoring
 Then the response status is 200 OK
 And the response has 3 items
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Get a rule's details returns "Not Found" response
 Given new "GetSecurityMonitoringRule" request
 And request contains "rule_id" parameter with value "abcde-12345"
 When the request is sent
 Then the response status is 404 Not Found
 
- @skip-validation @team:DataDog/k9-cloud-security-platform
+ @skip-validation @team:DataDog/k9-cloud-siem
 Scenario: Get a rule's details returns "OK" response
 Given new "GetSecurityMonitoringRule" request
 And there is a valid "security_rule" in the system
@@ -1124,7 +1124,7 @@ Feature: Security Monitoring
 And the response "name" is equal to "{{ unique }}"
 And the response "id" has the same value as "security_rule.id"
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Get a rule's version history returns "Bad Request" response
 Given operation "GetRuleVersionHistory" enabled
 And new "GetRuleVersionHistory" request
@@ -1132,7 +1132,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Get a rule's version history returns "Not Found" response
 Given operation "GetRuleVersionHistory" enabled
 And new "GetRuleVersionHistory" request
@@ -1140,7 +1140,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Get a rule's version history returns "OK" response
 Given operation "GetRuleVersionHistory" enabled
 And new "GetRuleVersionHistory" request
@@ -1148,14 +1148,14 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Get a security filter returns "Not Found" response
 Given new "GetSecurityFilter" request
 And request contains "security_filter_id" parameter from "REPLACE.ME"
 When the request is sent
 Then the response status is 404 Not Found
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Get a security filter returns "OK" response
 Given there is a valid "security_filter" in the system
 And new "GetSecurityFilter" request
@@ -1168,28 +1168,28 @@ Feature: Security Monitoring
 And the response "data.attributes.exclusion_filters[0].name" is equal to "Exclude logs from staging"
 And the response "data.attributes.exclusion_filters[0].query" is equal to "source:staging"
 
- @replay-only @team:DataDog/k9-cloud-security-platform
+ @replay-only @team:DataDog/k9-cloud-siem
 Scenario: Get a signal's details returns "Not Found" response
 Given new "GetSecurityMonitoringSignal" request
 And request contains "signal_id" parameter with value "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptCL3QUEm3nt2"
 When the request is sent
 Then the response status is 404 Not Found
 
- @replay-only @team:DataDog/k9-cloud-security-platform
+ @replay-only @team:DataDog/k9-cloud-siem
 Scenario: Get a signal's details returns "OK" response
 Given new "GetSecurityMonitoringSignal" request
 And request contains "signal_id" parameter with value "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE"
 When the request is sent
 Then the response status is 200 OK
 
- @skip-validation @team:DataDog/k9-cloud-security-platform
+ @skip-validation @team:DataDog/k9-cloud-siem
 Scenario: Get a suppression rule returns "Not Found" response
 Given new "GetSecurityMonitoringSuppression" request
 And request contains "suppression_id" parameter with value "this-does-not-exist"
 When the request is sent
 Then the response status is 404 Not Found
 
- @skip-validation @team:DataDog/k9-cloud-security-platform
+ @skip-validation @team:DataDog/k9-cloud-siem
 Scenario: Get a suppression rule returns "OK" response
 Given new "GetSecurityMonitoringSuppression" request
 And there is a valid "suppression" in the system
@@ -1199,14 +1199,14 @@ Feature: Security Monitoring
 And the response "data.attributes.rule_query" has the same value as "suppression.data.attributes.rule_query"
 And the response "data.attributes.suppression_query" is equal to "env:test"
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Get a suppression's version history returns "Not Found" response
 Given new "GetSuppressionVersionHistory" request
 And request contains "suppression_id" parameter with value "this-does-not-exist"
 When the request is sent
 Then the response status is 404 Not Found
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Get a suppression's version history returns "OK" response
 Given new "GetSuppressionVersionHistory" request
 And there is a valid "suppression" in the system
@@ -1214,13 +1214,13 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Get all critical assets returns "OK" response
 Given new "ListSecurityMonitoringCriticalAssets" request
 When the request is sent
 Then the response status is 200 OK
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Get all security filters returns "OK" response
 Given new "ListSecurityFilters" request
 When the request is sent
@@ -1228,13 +1228,13 @@ Feature: Security Monitoring
 And the response "data" has item with field "attributes.filtered_data_type" with value "logs"
 And the response "data" has item with field "attributes.is_builtin" with value true
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Get all suppression rules returns "OK" response
 Given new "ListSecurityMonitoringSuppressions" request
 When the request is sent
 Then the response status is 200 OK
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Get all suppression rules returns "OK" response with pagination
 Given new "ListSecurityMonitoringSuppressions" request
 And there is a valid "suppression" in the system
@@ -1246,7 +1246,7 @@ Feature: Security Monitoring
 Then the response status is 200 OK
 And the response "data" has length 1
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Get all suppression rules returns "OK" response with sort ascending
 Given new "ListSecurityMonitoringSuppressions" request
 And there is a valid "suppression" in the system
@@ -1257,7 +1257,7 @@ Feature: Security Monitoring
 Then the response status is 200 OK
 And the response "data[0].attributes.name" is equal to "suppression {{ unique_hash }}"
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Get all suppression rules returns "OK" response with sort descending
 Given new "ListSecurityMonitoringSuppressions" request
 And there is a valid "suppression" in the system
@@ -1268,28 +1268,28 @@ Feature: Security Monitoring
 Then the response status is 200 OK
 And the response "data[0].attributes.name" is equal to "suppression2 {{ unique_hash }}"
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Get content pack states returns "Not Found" response
 Given operation "GetContentPacksStates" enabled
 And new "GetContentPacksStates" request
 When the request is sent
 Then the response status is 404 Not Found
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Get content pack states returns "OK" response
 Given operation "GetContentPacksStates" enabled
 And new "GetContentPacksStates" request
 When the request is sent
 Then the response status is 200 OK
 
- @skip @team:DataDog/k9-cloud-security-platform
+ @skip @team:DataDog/k9-cloud-siem
 Scenario: Get critical assets affecting a specific rule returns "Not Found" response
 Given new "GetCriticalAssetsAffectingRule" request
 And request contains "rule_id" parameter with value "aaa-bbb-ccc-ddd"
 When the request is sent
 Then the response status is 404 Not Found
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Get critical assets affecting a specific rule returns "OK" response
 Given new "GetCriticalAssetsAffectingRule" request
 And there is a valid "security_rule" in the system
@@ -1341,7 +1341,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 Notification rule details.
 
- @skip-go @skip-java @skip-ruby @team:DataDog/k9-cloud-security-platform
+ @skip-go @skip-java @skip-ruby @team:DataDog/k9-cloud-siem
 Scenario: Get rule version history returns "OK" response
 Given operation "GetRuleVersionHistory" enabled
 And new "GetRuleVersionHistory" request
@@ -1354,14 +1354,14 @@ Feature: Security Monitoring
 And the response "data.attributes.count" is equal to 1
 And the response "data.attributes.data[1].rule.name" has the same value as "security_rule.name"
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Get suppressions affecting a specific rule returns "Not Found" response
 Given new "GetSuppressionsAffectingRule" request
 And request contains "rule_id" parameter with value "aaa-bbb-ccc-ddd"
 When the request is sent
 Then the response status is 404 Not Found
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Get suppressions affecting a specific rule returns "OK" response
 Given new "GetSuppressionsAffectingRule" request
 And there is a valid "security_rule" in the system
@@ -1369,14 +1369,14 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Get suppressions affecting future rule returns "Bad Request" response
 Given new "GetSuppressionsAffectingFutureRule" request
 And body with value {"invalid_key":"invalid_value"}
 When the request is sent
 Then the response status is 400 Bad Request
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Get suppressions affecting future rule returns "OK" response
 Given new "GetSuppressionsAffectingFutureRule" request
 And body from file "security_monitoring_future_rule_suppression_payload.json"
@@ -1470,28 +1470,28 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: List hist signals returns "Bad Request" response
 Given operation "ListSecurityMonitoringHistsignals" enabled
 And new "ListSecurityMonitoringHistsignals" request
 When the request is sent
 Then the response status is 400 Bad Request
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: List hist signals returns "Not Found" response
 Given operation "ListSecurityMonitoringHistsignals" enabled
 And new "ListSecurityMonitoringHistsignals" request
 When the request is sent
 Then the response status is 404 Not Found
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: List hist signals returns "OK" response
 Given operation "ListSecurityMonitoringHistsignals" enabled
 And new "ListSecurityMonitoringHistsignals" request
 When the request is sent
 Then the response status is 200 OK
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: List historical jobs returns "OK" response
 Given operation "ListThreatHuntingJobs" enabled
 And operation "RunThreatHuntingJob" enabled
@@ -1501,14 +1501,14 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: List resource filters returns "Bad Request" response
 Given new "GetResourceEvaluationFilters" request
 And request contains "account_id" parameter with value "123456789"
 When the request is sent
 Then the response status is 400 Bad Request
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: List resource filters returns "OK" response
 Given new "GetResourceEvaluationFilters" request
 And request contains "cloud_provider" parameter with value "aws"
@@ -1516,13 +1516,13 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: List rules returns "Bad Request" response
 Given new "ListSecurityMonitoringRules" request
 When the request is sent
 Then the response status is 400 Bad Request
 
- @skip-validation @team:DataDog/k9-cloud-security-platform
+ @skip-validation @team:DataDog/k9-cloud-siem
 Scenario: List rules returns "OK" response
 Given new "ListSecurityMonitoringRules" request
 When the request is sent
@@ -1574,14 +1574,14 @@ Feature: Security Monitoring
 And the response "meta.page" has field "after"
 And the response "links" has field "next"
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: List threat hunting jobs returns "Bad Request" response
 Given operation "ListThreatHuntingJobs" enabled
 And new "ListThreatHuntingJobs" request
 When the request is sent
 Then the response status is 400 Bad Request
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: List threat hunting jobs returns "OK" response
 Given operation "ListThreatHuntingJobs" enabled
 And new "ListThreatHuntingJobs" request
@@ -1640,7 +1640,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Modify the triage assignee of a security signal returns "Bad Request" response
 Given new "EditSecurityMonitoringSignalAssignee" request
 And request contains "signal_id" parameter from "REPLACE.ME"
@@ -1648,7 +1648,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Modify the triage assignee of a security signal returns "Not Found" response
 Given new "EditSecurityMonitoringSignalAssignee" request
 And request contains "signal_id" parameter from "REPLACE.ME"
@@ -1656,7 +1656,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
 
- @replay-only @team:DataDog/k9-cloud-security-platform
+ @replay-only @team:DataDog/k9-cloud-siem
 Scenario: Modify the triage assignee of a security signal returns "OK" response
 Given new "EditSecurityMonitoringSignalAssignee" request
 And request contains "signal_id" parameter with value "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE"
@@ -1779,7 +1779,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Run a threat hunting job returns "Bad Request" response
 Given operation "RunThreatHuntingJob" enabled
 And new "RunThreatHuntingJob" request
@@ -1787,7 +1787,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Run a threat hunting job returns "Not Found" response
 Given operation "RunThreatHuntingJob" enabled
 And new "RunThreatHuntingJob" request
@@ -1795,7 +1795,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Run a threat hunting job returns "Status created" response
 Given operation "RunThreatHuntingJob" enabled
 And new "RunThreatHuntingJob" request
@@ -1803,7 +1803,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 201 Status created
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Search hist signals returns "Bad Request" response
 Given operation "SearchSecurityMonitoringHistsignals" enabled
 And new "SearchSecurityMonitoringHistsignals" request
@@ -1811,7 +1811,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Search hist signals returns "Not Found" response
 Given operation "SearchSecurityMonitoringHistsignals" enabled
 And new "SearchSecurityMonitoringHistsignals" request
@@ -1819,7 +1819,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Search hist signals returns "OK" response
 Given operation "SearchSecurityMonitoringHistsignals" enabled
 And new "SearchSecurityMonitoringHistsignals" request
@@ -1851,21 +1851,21 @@ Feature: Security Monitoring
 And the response "meta.page" has field "after"
 And the response "links" has field "next"
 
- @skip @team:DataDog/k9-cloud-security-platform
+ @skip @team:DataDog/k9-cloud-siem
 Scenario: Test a rule returns "Bad Request" response
 Given new "TestSecurityMonitoringRule" request
 And body with value {"rule": {"cases": [], "filters": [{"action": "require"}], "hasExtendedTitle": true, "isEnabled": true, "message": "", "name": "My security monitoring rule.", "options": {"decreaseCriticalityBasedOnEnv": false, "detectionMethod": "threshold", "evaluationWindow": 0, "hardcodedEvaluatorType": "log4shell", "impossibleTravelOptions": {"baselineUserLocations": true}, "keepAlive": 0, "maxSignalDuration": 0, "newValueOptions": {"forgetAfter": 1, "learningDuration": 0, "learningMethod": "duration", "learningThreshold": 0}, "thirdPartyRuleOptions": {"defaultNotifications": [], "defaultStatus": "critical", "rootQueries": [{"groupByFields": [], "query": "source:cloudtrail"}]}}, "queries": [], "tags": ["env:prod", "team:security"], "thirdPartyCases": [], "type": "application_security"}, "ruleQueryPayloads": [{"expectedResult": true, "index": 0, "payload": {"ddsource": "nginx", "ddtags": "env:staging,version:5.1", "hostname": "i-012345678", "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World", "service": "payment"}}]}
 When the request is sent
 Then the response status is 400 Bad Request
 
- @skip @team:DataDog/k9-cloud-security-platform
+ @skip @team:DataDog/k9-cloud-siem
 Scenario: Test a rule returns "Not Found" response
 Given new "TestSecurityMonitoringRule" request
 And body with value {"rule": {"cases": [], "filters": [{"action": "require"}], "hasExtendedTitle": true, "isEnabled": true, "message": "", "name": "My security monitoring rule.", "options": {"decreaseCriticalityBasedOnEnv": false, "detectionMethod": "threshold", "evaluationWindow": 0, "hardcodedEvaluatorType": "log4shell", "impossibleTravelOptions": 
{"baselineUserLocations": true}, "keepAlive": 0, "maxSignalDuration": 0, "newValueOptions": {"forgetAfter": 1, "learningDuration": 0, "learningMethod": "duration", "learningThreshold": 0}, "thirdPartyRuleOptions": {"defaultNotifications": [], "defaultStatus": "critical", "rootQueries": [{"groupByFields": [], "query": "source:cloudtrail"}]}}, "queries": [], "tags": ["env:prod", "team:security"], "thirdPartyCases": [], "type": "application_security"}, "ruleQueryPayloads": [{"expectedResult": true, "index": 0, "payload": {"ddsource": "nginx", "ddtags": "env:staging,version:5.1", "hostname": "i-012345678", "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World", "service": "payment"}}]} When the request is sent Then the response status is 404 Not Found - @skip-go @skip-java @skip-ruby @skip-typescript @team:DataDog/k9-cloud-security-platform + @skip-go @skip-java @skip-ruby @skip-typescript @team:DataDog/k9-cloud-siem Scenario: Test a rule returns "OK" response Given new "TestSecurityMonitoringRule" request And body with value {"rule": {"cases": [{"name": "","status": "info","notifications": [],"condition": "a > 0"}],"hasExtendedTitle": true,"isEnabled": true,"message": "My security monitoring rule message.","name": "My security monitoring rule.","options": {"decreaseCriticalityBasedOnEnv": false,"detectionMethod": "threshold","evaluationWindow": 0,"keepAlive": 0,"maxSignalDuration": 0},"queries": [{"query": "source:source_here","groupByFields": ["@userIdentity.assumed_role"],"distinctFields": [],"aggregation": "count","name": ""}],"tags": ["env:prod", "team:security"],"type": "log_detection"}, "ruleQueryPayloads": [{"expectedResult": true,"index": 0,"payload": {"ddsource": "source_here","ddtags": "env:staging,version:5.1","hostname": "i-012345678","message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World","service": "payment","userIdentity": {"assumed_role" : "fake assumed_role"}}}]} 
@@ -1873,7 +1873,7 @@ Feature: Security Monitoring
 Then the response status is 200 OK
 And the response "results[0]" is equal to true
 
- @skip @team:DataDog/k9-cloud-security-platform
+ @skip @team:DataDog/k9-cloud-siem
 Scenario: Test an existing rule returns "Bad Request" response
 Given new "TestExistingSecurityMonitoringRule" request
 And request contains "rule_id" parameter from "REPLACE.ME"
@@ -1881,7 +1881,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @skip @team:DataDog/k9-cloud-security-platform
+ @skip @team:DataDog/k9-cloud-siem
 Scenario: Test an existing rule returns "Not Found" response
 Given new "TestExistingSecurityMonitoringRule" request
 And request contains "rule_id" parameter from "REPLACE.ME"
@@ -1889,7 +1889,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
 
- @skip @team:DataDog/k9-cloud-security-platform
+ @skip @team:DataDog/k9-cloud-siem
 Scenario: Test an existing rule returns "OK" response
 Given new "TestExistingSecurityMonitoringRule" request
 And request contains "rule_id" parameter from "REPLACE.ME"
@@ -1897,7 +1897,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
 
- @skip-validation @team:DataDog/k9-cloud-security-platform
+ @skip-validation @team:DataDog/k9-cloud-siem
 Scenario: Update a cloud configuration rule's details returns "OK" response
 Given new "UpdateSecurityMonitoringRule" request
 And there is a valid "cloud_configuration_rule" in the system
@@ -1908,7 +1908,7 @@ Feature: Security Monitoring
 And the response "name" is equal to "{{ unique }}_cloud_updated"
 And the response "id" has the same value as "cloud_configuration_rule.id"
 
- @skip @team:DataDog/k9-cloud-security-platform
+ @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a critical asset returns "Bad Request" response
 Given new "UpdateSecurityMonitoringCriticalAsset" request
 And request contains "critical_asset_id" parameter with value "00000000-0000-0000-0000-000000000000"
@@ -1916,7 +1916,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a critical asset returns "Concurrent Modification" response
 Given new "UpdateSecurityMonitoringCriticalAsset" request
 And request contains "critical_asset_id" parameter from "REPLACE.ME"
@@ -1924,7 +1924,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 409 Concurrent Modification
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Update a critical asset returns "Not Found" response
 Given new "UpdateSecurityMonitoringCriticalAsset" request
 And request contains "critical_asset_id" parameter with value "00000000-0000-0000-0000-000000000001"
@@ -1932,7 +1932,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
 
- @skip-validation @team:DataDog/k9-cloud-security-platform
+ @skip-validation @team:DataDog/k9-cloud-siem
 Scenario: Update a critical asset returns "OK" response
 Given new "UpdateSecurityMonitoringCriticalAsset" request
 And there is a valid "critical_asset" in the system
@@ -1945,7 +1945,7 @@ Feature: Security Monitoring
 And the response "data.attributes.enabled" is equal to false
 And the response "data.attributes.version" is equal to 2
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Update a custom framework returns "Bad Request" response
 Given new "UpdateCustomFramework" request
 And request contains "handle" parameter with value "create-framework-new"
@@ -1954,7 +1954,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @replay-only @team:DataDog/k9-cloud-security-platform
+ @replay-only @team:DataDog/k9-cloud-siem
 Scenario: Update a custom framework returns "OK" response
 Given there is a valid "custom_framework" in the system
 And new "UpdateCustomFramework" request
@@ -1964,7 +1964,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a security filter returns "Bad Request" response
 Given new "UpdateSecurityFilter" request
 And request contains "security_filter_id" parameter from "REPLACE.ME"
@@ -1972,7 +1972,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a security filter returns "Concurrent Modification" response
 Given new "UpdateSecurityFilter" request
 And request contains "security_filter_id" parameter from "REPLACE.ME"
@@ -1980,7 +1980,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 409 Concurrent Modification - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Update a security filter returns "Not Found" response Given new "UpdateSecurityFilter" request And request contains "security_filter_id" parameter from "REPLACE.ME" @@ -1988,7 +1988,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Update a security filter returns "OK" response Given new "UpdateSecurityFilter" request And there is a valid "security_filter" in the system @@ -2000,7 +2000,7 @@ Feature: Security Monitoring And the response "data.attributes.filtered_data_type" is equal to "logs" And the response "data.attributes.name" is equal to "{{ unique }}" - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Update a suppression rule returns "Bad Request" response Given new "UpdateSecurityMonitoringSuppression" request And request contains "suppression_id" parameter from "REPLACE.ME" @@ -2008,7 +2008,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Update a suppression rule returns "Concurrent Modification" response Given new "UpdateSecurityMonitoringSuppression" request And request contains "suppression_id" parameter from "REPLACE.ME" 
@@ -2016,7 +2016,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 409 Concurrent Modification - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Update a suppression rule returns "Not Found" response Given new "UpdateSecurityMonitoringSuppression" request And request contains "suppression_id" parameter from "REPLACE.ME" @@ -2024,7 +2024,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Update a suppression rule returns "OK" response Given new "UpdateSecurityMonitoringSuppression" request And there is a valid "suppression" in the system @@ -2036,7 +2036,7 @@ Feature: Security Monitoring And the response "data.attributes.suppression_query" is equal to "env:staging status:low" And the response "data.attributes.version" is equal to 2 - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Update an existing rule returns "Bad Request" response Given new "UpdateSecurityMonitoringRule" request And there is a valid "security_rule" in the system @@ -2045,7 +2045,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Update an existing rule returns "Not Found" response Given new "UpdateSecurityMonitoringRule" request And request contains "rule_id" parameter with value "abcde-12345" 
@@ -2053,7 +2053,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Update an existing rule returns "OK" response Given new "UpdateSecurityMonitoringRule" request And there is a valid "security_rule" in the system 
@@ -2064,56 +2064,56 @@ Feature: Security Monitoring And the response "name" is equal to "{{ unique }}-Updated" And the response "id" has the same value as "security_rule.id" - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Update resource filters returns "Bad Request" response Given new "UpdateResourceEvaluationFilters" request And body with value {"data": {"attributes": {"cloud_provider": {"invalid": {"aws_account_id": ["tag1:v1"]}}}, "id": "csm_resource_filter", "type": "csm_resource_filter"}} When the request is sent Then the response status is 400 Bad Request - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Update resource filters returns "OK" response Given new "UpdateResourceEvaluationFilters" request And body with value {"data": {"attributes": {"cloud_provider": {"aws": {"aws_account_id": ["tag1:v1"]}}}, "id": "csm_resource_filter", "type": "csm_resource_filter"}} When the request is sent Then the response status is 201 OK - @skip-go @skip-java @skip-python @skip-ruby @skip-rust @skip-typescript @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-go @skip-java @skip-python @skip-ruby @skip-rust @skip-typescript @skip-validation @team:DataDog/k9-cloud-siem Scenario: Validate a detection rule returns "Bad Request" response Given new "ValidateSecurityMonitoringRule" request And body with value {"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0"}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":1800,"keepAlive":999999,"maxSignalDuration":1800,"detectionMethod":"threshold"},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"aggregation":"count","name":""}],"tags":["env:prod","team:security"],"type":"log_detection"} When the request is sent Then the response status is 400 Bad Request - 
@team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Validate a detection rule returns "OK" response Given new "ValidateSecurityMonitoringRule" request And body with value {"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0"}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":1800,"keepAlive":1800,"maxSignalDuration":1800,"detectionMethod":"threshold"},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"aggregation":"count","name":""}],"tags":["env:prod","team:security"],"type":"log_detection"} When the request is sent Then the response status is 204 OK - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK" response Given new "ValidateSecurityMonitoringRule" request And body with value {"cases":[{"name":"","status":"info","notifications":[]}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"detectionMethod":"new_value","newValueOptions":{"forgetAfter":7,"instantaneousBaseline":true,"learningDuration":1,"learningThreshold":0,"learningMethod":"duration"}},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"metric":"name","metrics":["name"],"aggregation":"new_value","name":"","dataSource":"logs"}],"tags":["env:prod","team:security"],"type":"log_detection"} When the request is sent Then the response status is 204 OK - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Validate a detection rule with detection method 'sequence_detection' returns "OK" response Given new "ValidateSecurityMonitoringRule" 
request And body with value {"cases":[{"name":"","status":"info","notifications":[],"condition":"step_b > 0"}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"detectionMethod":"sequence_detection","sequenceDetectionOptions":{"stepTransitions":[{"child":"step_b","evaluationWindow":900,"parent":"step_a"}],"steps":[{"condition":"a > 0","evaluationWindow":60,"name":"step_a"},{"condition":"b > 0","evaluationWindow":60,"name":"step_b"}]}},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"aggregation":"count","name":""},{"query":"source:source_here2","groupByFields":[],"distinctFields":[],"aggregation":"count","name":""}],"tags":["env:prod","team:security"],"type":"log_detection"} When the request is sent Then the response status is 204 OK - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Validate a suppression rule returns "Bad Request" response Given new "ValidateSecurityMonitoringSuppression" request And body with value {"data": {"attributes": {"name" : "cold_harbour", "enabled": false, "rule_query":"rule:[A-Invalid", "data_exclusion_query": "not enough attributes"}, "type": "suppressions"}} When the request is sent Then the response status is 400 Bad Request - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Validate a suppression rule returns "OK" response Given new "ValidateSecurityMonitoringSuppression" request And body with value {"data": {"attributes": {"data_exclusion_query": "source:cloudtrail account_id:12345", "description": "This rule suppresses low-severity signals in staging environments.", "enabled": true, "name": "Custom suppression", "rule_query": "type:log_detection source:cloudtrail"}, "type": "suppressions"}}